Scopes and permissions: OAuth2

When an EHR user launches your app, you get a “launch request” notification.
Just ask for the permissions you need using OAuth scopes like patient/*.read
and once you’re authorized you’ll have an access token with the permissions you
need – including access to clinical data and context like:

which patient is in-context in the EHR

which encounter is in-context in the EHR

the physical location of the EHR user

Simple sign-in: OpenID Connect

If your app needs to authenticate the EHR end-user, OpenID Connect is there to
help. Just ask for one additional scope (openid) when you request
authorization, and you’ll have access to a UserInfo endpoint that exposes
structured claims about the user, including name and NPI.
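
The authorization request and token handling described in the two sections above, as an added example that is not code from the SMART project. The function names, endpoint URLs, client id and sample values are constructed assumptions. The `launch` and `aud` parameters and the `patient` / `encounter` token fields follow the SMART App Launch convention. The example checks `state` and the granted scopes because a server may grant fewer or narrower scopes than the app asked for.

```javascript
// Added example: helper names are hypothetical; URLs and ids below are constructed.
function buildAuthorizeUrl({ authorizeEndpoint, clientId, redirectUri, iss, launch, scopes, state }) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(" "), // ask only for what the app needs
    state,                   // unguessable per-request value from a CSPRNG
    aud: iss,                // FHIR server the token is intended for
    launch,                  // opaque id taken from the EHR's launch request
  }).toString();
  return url.toString();
}

// Validate the callback and token response before trusting the token.
function readTokenResponse(requestedScopes, expectedState, returnedState, token) {
  if (returnedState !== expectedState) throw new Error("state mismatch");
  const granted = new Set((token.scope || "").split(/\s+/).filter(Boolean));
  return {
    missing: requestedScopes.filter((s) => !granted.has(s)), // asked for, not granted
    extra: [...granted].filter((s) => !requestedScopes.includes(s)), // granted in another form
    patient: token.patient ?? null,     // patient in context in the EHR
    encounter: token.encounter ?? null, // encounter in context, if any
    hasIdToken: granted.has("openid") && typeof token.id_token === "string",
  };
}

// Constructed sample input (not captured from a real EHR).
const SAMPLE_REQUEST = {
  authorizeEndpoint: "https://ehr.example.org/auth/authorize",
  clientId: "constructed-client-id",
  redirectUri: "https://app.example.org/callback",
  iss: "https://ehr.example.org/fhir",
  launch: "constructed-launch-id",
  scopes: ["launch", "openid", "patient/*.read"],
  state: "constructed-state-value",
};
const SAMPLE_TOKEN = {
  access_token: "constructed-access-token",
  scope: "launch openid patient/Observation.read", // narrower than requested
  patient: "constructed-patient-123",
  id_token: "constructed.jwt.placeholder",
};
```

With the sample above, `readTokenResponse` reports `patient/*.read` as missing, so the app should not assume it can read every resource type for the patient.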

Lightweight UI integration: HTML5

Need to hook your app into an existing EHR user interface? SMART on FHIR allows
web apps to run inside browser widgets or inline frames, so users can interact
without leaving the EHR environment. Of course, native and mobile apps are
supported too – so you can choose the level of integration that makes sense
for you.